Provide generic SAST analyzer for custom security scans
Problem to solve
We often get requests to customize our SAST analyzers, for example #6239 (closed). This is often difficult to support given the variety of tools we utilize and the variations in rulesets that customers want.
Many of our underlying tools do not provide a way to customize their behavior, which requires us either to contribute upstream to them or to modify their behavior ourselves. As such, we should consider a generic pattern matcher which customers can use to scan for a predefined set of rules. It would be disabled by default but could be enabled with an additional job definition and by including it in the DEFAULT_ANALYZERS environment variable configuration.
Intended users
Persona: Software developer
Persona: Development Team Lead
Further details
Proposal
Provide a generic SAST analyzer that wraps a regex engine. This analyzer requires a regex rule list as input configuration and scans a project for the given patterns. It also accepts a configurable severity level, confidence level, and scanner name in order to report the findings more precisely.
docker run \
--interactive --tty --rm \
--volume "$PWD":/tmp/app \
--env CI_PROJECT_DIR=/tmp/app \
--env RULELIST=./my_custom_regexes.toml \
--env DEFAULT_SEVERITY=high \
--env SCANNER_NAME="Custom Java Scanner" \
registry.gitlab.com/gitlab-org/security-products/analyzers/generic:12-1-stable /analyzer run
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
Customers can enable an analyzer with a simple YAML or TOML configuration. This allows their scans to track findings outside the scope of our default analyzers.
Customers do not need to create custom images or compile analyzers in order to use custom rulesets.
What is the type of buyer?
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.